Security researcher Taylor Hornby discovered a critical vulnerability in Zcash's Orchard privacy pool on May 29 that could mint unlimited counterfeit ZEC coins. The disclosure triggered a more than 40% price drop in ZEC over 24 hours as holders assessed whether fake coins had entered the shielded pool. The flaw had existed undetected since Orchard launched in May 2022, surviving multiple security audits before Hornby privately disclosed it to Zcash founder Zooko Wilcox, prompting an emergency patch deployed June 2.
Zcash founder Zooko Wilcox confirmed that Taylor Hornby uncovered a counterfeiting vulnerability in Orchard and disclosed it privately to him on May 29. The bug could create undetectable counterfeit ZEC coins that the network would accept as genuine while the fraud stayed invisible inside the shielded pool. Hornby devised a complete exploit with the help of an artificial intelligence model and generated an unlimited number of counterfeit ZEC in local testing.
Developers revealed that the flaw had been present since the Orchard pool launched in May 2022. The bug sat undetected for roughly four years and survived repeated audits by specialists who never spotted it. Because Orchard is a fully shielded system, there is no cryptographic way to prove the bug was never abused. The same privacy guarantees that make Zcash attractive for confidential transactions make it impossible to audit the shielded supply for fake coins minted before the patch landed.
Hornby reported the issue to the Zcash Open Development Lab, which coordinated an emergency response across wallets, exchanges and node operators before shipping a fix on June 2. In a detailed post on the Zcash community forum, the team walked through the vulnerability and outlined next steps, including proposals to strengthen supply verification.
Despite the severity, developers urged calm, with Shielded Labs saying it was not "overly concerned" that counterfeiting had actually occurred. The reasoning was that the bug had survived years of review by some of the world's most capable cryptographers without being found or exploited.
ZEC shed roughly 40% of its value within 24 hours of the disclosure. The token had surged past $600 earlier in the cycle, at one point flipping Monero by market capitalization, before the Orchard disclosure wiped out part of those gains.
For holders, the immediate cost was in price, as ZEC unwound a meaningful slice of a rally that had made it one of the year's best-performing crypto assets. The disclosure came as privacy tokens had been surging amid a global pushback against financial surveillance, with ZEC among the standout performers. Institutional interest had also been building, with Grayscale moving toward a regulated ZEC product.
What vulnerability did Taylor Hornby discover in Zcash on May 29?
Taylor Hornby discovered a counterfeiting vulnerability in Zcash's Orchard privacy pool on May 29 that could mint unlimited counterfeit ZEC coins. The bug could create undetectable fake coins that the network would accept as genuine while the fraud stayed invisible inside the shielded pool. Hornby devised a complete exploit with the help of an artificial intelligence model and generated unlimited counterfeit ZEC in local testing.
How did Zcash developers respond to the Orchard bug?
The Zcash Open Development Lab coordinated an emergency response across wallets, exchanges and node operators after Taylor Hornby reported the issue. Developers shipped a fix on June 2 and posted a detailed explanation on the Zcash community forum. The team outlined proposals to strengthen supply verification and urged calm, stating they were not "overly concerned" that counterfeiting had actually occurred because the bug survived years of review by capable cryptographers without being exploited.
Why did ZEC price drop more than 40% after the vulnerability disclosure?
ZEC dropped more than 40% over 24 hours as holders weighed whether fake coins had entered the shielded pool before the patch. Because Orchard is a fully shielded system, there is no cryptographic way to prove the bug was never abused. The same privacy guarantees that make Zcash attractive for confidential transactions make it impossible to audit the shielded supply for counterfeit coins minted before the June 2 patch landed.